npm audit false positive flag #11995
Hi all, here's what my audit says:
Problem is that I run AuthJS 5.0.0-beta.22 so downgrading to NextAuth 4.24 isn't really an option. Or am I missing something here? I tried the --force just to see what would happen and it broke the app as expected. Also: AuthJS 5 has been on beta.22 for what, a year at least now? But NextAuth is still getting regular releases. Is v5 still being developed or did I make a mistake by jumping onto the AuthJs train too early 🙂 Thanks for any tips!
Replies: 4 comments 5 replies
I'd say I have the same problem with
I can see that https://www.npmjs.com/package/@auth/core?activeTab=code But I cannot find anywhere how to update AuthJs to use this new version of In fact I cannot find any documentation on how to update the version of AuthJs. Throw into the mix that NPM seems to think that AuthJs = Next-Auth and that on the GitHub page both Next-Auth and AuthJs are linked to the same repo. I've just been going around in circles for 2 days now. My only guess is I could manually update dependencies in my package-lock file. Honestly I'm a little surprised I seem to be the only one suffering from this. No answers on either Discord or here, on a security issue in an Auth library. Starting to doubt whether I made the right choice opting for this library.
If people want to get rid of the @chris-at-lemon this is not a security issue in Also; version 5.0.0-beta.22 was released two weeks ago; https://github.com/nextauthjs/next-auth/releases/tag/next-auth%405.0.0-beta.22 and not a year ago. Just a quick glance at the commits in this repository will tell you that there is much active development going on.
TLDR; To clarify there is no vulnerability because of the @WikiRik appreciate the assist/explanation!
@chris-at-lemon please never report a potential vulnerability in a GitHub discussion or any public platform before consulting the maintainers per their security policy. We have such a document here: https://authjs.dev/security We never use user-provided values for name/domain/path of our cookies, it's all server-side. That said, imagine if it was an actual issue. I haven't seen this message before now, a day after you posted it, and only because someone tagged me. It's 2am here and I am going to bed. If it was an actual issue, I would have to stay up the whole night to patch. I've had to do it before, it's unpleasant. 🙏 Besides, these kinds of public reports often create unnecessary fear. I have 100+ GitHub mentions a day; unfortunately I cannot monitor all of them realistically/humanly, I wish I could. No hard feelings, I'm just starting to emphasize the importance of reading the docs, especially in security sensitive cases like this. I hope we learnt something today. 💚
next-auth version 5.0.0-beta.22 ships with 0.35.3 of @auth/core, which was the newest version at that time. It is now updated to 0.36.0 and next-auth just takes the version from the workspace; https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/package.json
Only thing that needs to be done imo is release a new beta of next-auth and the release pipeline will automatically update the version of @auth/core used. @balazsorban44 can you run the pipeline for a new beta release of next-auth?
If people want to get rid of the npm audit message right now, with a bit of manual patching, you can use the overrides functionality in NPM; https://docs.npmjs.com/cli/v10/configuring-npm/…
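As an added illustration of the overrides approach mentioned in the reply above (this is not code from the thread or from the next-auth project), here is a minimal package.json that forces the @auth/core resolved underneath next-auth 5.0.0-beta.22 to 0.36.0, the version the reply says the workspace now uses. The package name "my-app" and the single dependency are assumptions; the version numbers are the ones stated in the discussion.

```json
{
  "name": "my-app",
  "private": true,
  "dependencies": {
    "next-auth": "5.0.0-beta.22"
  },
  "overrides": {
    "next-auth": {
      "@auth/core": "0.36.0"
    }
  }
}
```

Nesting the override under "next-auth" limits it to that dependency's copy of @auth/core; a top-level `"@auth/core": "0.36.0"` entry would override every occurrence in the tree. After editing, run `npm install` so that package-lock.json is regenerated with the overridden version, check the result with `npm ls @auth/core`, and re-run `npm audit` to confirm the report has cleared. Treat the override as a temporary patch: once a next-auth beta that depends on 0.36.0 is published, remove it, because a forgotten override can later pin the project to an older @auth/core than the library expects.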